# TLS-ALPN-01
With `tls-alpn-01`-type verification Let's Encrypt (or the ACME-protocol in general) is checking if you are in control of a domain by accessing
your webserver using a custom ALPN and expecting a specially crafted TLS certificate containing a verification token.
It will do that for any (sub-)domain you want to sign a certificate for.
Dehydrated generates the required verification certificates, but the delivery is out of its scope.
### Example nginx config
On an nginx tcp load-balancer you can use the `ssl_preread` module to map a different port for acme-tls
requests than for e.g. HTTP/2 or HTTP/1.1 requests.
Your config should look something like this:
```nginx
stream {
server {
map $ssl_preread_alpn_protocols $tls_port {
~\bacme-tls/1\b 10443;

lighttpd 1.4.53 supports TLS-ALPN-01 without the need to shut down the web server to handle TLS-ALPN-01 verification challenges. (lighttpd still needs to be restarted to begin using updated certificates)